From 0f41fce845757e0d986be0c00f290ef1da7dc1e1 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Fri, 26 Nov 2010 12:31:01 +0300
Subject: change behaviour of SESSION_CHECK_ADDRESS

---
 config.php-dist |  8 ++++++--
 functions.php   | 33 ++++++++++++++++++++-------------
 2 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/config.php-dist b/config.php-dist
index 824b843c7..f3045f70e 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -49,8 +49,12 @@
 	// configurations. Doesn't seem to work for everyone, so enable with caution.
 	// tt-rss uses default PHP session storing mechanism if disabled.
 
-	define('SESSION_CHECK_ADDRESS', true);
-	// Bind session to client IP address (recommended)
+	define('SESSION_CHECK_ADDRESS', 1);
+	// Check client IP address when validating session:
+	// 0 - disable checking
+	// 1 - check first 3 octets of an address (recommended)
+	// 2 - check first 2 octets of an address
+	// 3 - check entire address
 
 	define('SESSION_COOKIE_LIFETIME', 0);
 	// Default lifetime of a session (e.g. login) cookie. In seconds, 
diff --git a/functions.php b/functions.php
index d874ba3b9..1d37727fe 100644
--- a/functions.php
+++ b/functions.php
@@ -1901,22 +1901,29 @@
 	}
 
 	function validate_session($link) {
-		if (SINGLE_USER_MODE) { 
-			return true;
-		}
+		if (SINGLE_USER_MODE) return true;
 
-		if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
-			if ($_SESSION["ip_address"]) {
-				if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
-					$_SESSION["login_error_msg"] = __("Session failed to validate (incorrect IP)");
-					return false;
-				}
-			}
-		}
+		$check_ip = $_SESSION['ip_address'];
 
-		if ($_SESSION["ref_schema_version"] != get_schema_version($link, true)) {
+		switch (SESSION_CHECK_ADDRESS) {
+		case 0:
+			$check_ip = '';
+			break;
+		case 1:
+			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+			break;
+		case 2:
+			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
+			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+			break;
+		};
+
+		if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0)
+				$_SESSION["login_error_msg"] = 
+					__("Session failed to validate (incorrect IP)");
+
+		if ($_SESSION["ref_schema_version"] != get_schema_version($link, true))
 			return false;
-		}
 
 		if ($_SESSION["uid"]) {
 
-- 
cgit v1.2.3